Bug 20396

Summary: Abort caused by failed allocation due to invalid counter/attr
Product: WebKit Reporter: Tavis Ormandy <taviso>
Component: CSSAssignee: Beth Dakin <bdakin>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, mrowe
Priority: P2 Keywords: HasReduction, InRadar
Version: 525.x (Safari 3.1)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Patch darin: review+

Tavis Ormandy
Reported 2008-08-15 06:19:26 PDT
<style type="text/css"> body { content: counter(-7036167556735246188); } </style> (content: attr(-4687060260085016321); also works)
Attachments
Patch (2.89 KB, patch)
2008-09-30 16:07 PDT, Beth Dakin 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Rowe (bdash)
Comment 1 2008-08-15 08:14:06 PDT
Safari(77064,0xa0314d00) malloc: *** mmap(size=2276515840) failed (error code=12) *** error: can't allocate region *** set a breakpoint in malloc_error_break to debug Program received signal SIGABRT, Aborted. 0x934e970a in __kill () (gdb) bt #0 0x934e970a in __kill () #1 0x934e96fd in kill$UNIX2003 () #2 0x9355d75f in raise () #3 0x9356f205 in abort () #4 0x00444080 in WTF::fastMalloc (n=2276512446) at FastMalloc.cpp:192 #5 0x0288a47f in WebCore::newUCharVector (n=3285739871) at WebCore/platform/text/StringImpl.cpp:52 #6 0x0288d3b2 in WebCore::StringImpl::StringImpl (this=0x1b2c0e70, characters=0x4745d548, length=3285739871) at WebCore/platform/text/StringImpl.cpp:79 #7 0x0288cb19 in WebCore::StringImpl::create (characters=0x4745d548, length=3285739871) at WebCore/platform/text/StringImpl.cpp:1019 #8 0x02887874 in WebCore::String::String (this=0xbfff9b5c, str=0x4745d548, len=3285739871) at WebCore/platform/text/String.cpp:50 #9 0x022b76ab in WebCore::CSSParserString::operator WebCore::String (this=0x45e32b4) at CSSParserValues.h:36 #10 0x022c8f9e in WebCore::CSSParser::parseCounterContent (this=0xbfffb2ec, args=0x45e32a0, counters=false) at WebCore/css/CSSParser.cpp:2658 #11 0x022ccd6e in WebCore::CSSParser::parseContent (this=0xbfffb2ec, propId=1036, important=false) at WebCore/css/CSSParser.cpp:1972 #12 0x022ce7fe in WebCore::CSSParser::parseValue (this=0xbfffb2ec, propId=1036, important=false) at WebCore/css/CSSParser.cpp:618 #13 0x022b63a0 in cssyyparse (parser=0xbfffb2ec) at CSSGrammar.y:1211 Confirmed with TOT WebKit.
Mark Rowe (bdash)
Comment 2 2008-08-15 08:14:54 PDT
<rdar://problem/6152371>
Beth Dakin
Comment 3 2008-09-30 16:07:06 PDT
Created attachment 23958 [details] Patch
Darin Adler
Comment 4 2008-09-30 16:16:05 PDT
Comment on attachment 23958 [details] Patch r=me
Beth Dakin
Comment 5 2008-09-30 16:20:20 PDT
Fixed with r37122.
Note You need to log in before you can comment on or make changes to this bug.